Option to toggle off CSRF token as url parameter

[Asskali]

Expected Behavior

It should be possible to introduce a toggle that toggles the option of sending in the CSRF token as a URL parameter, and only allows for it as a header.

Current Behavior
When activating CSRF protection you have the option to send in the token as either a header or a URL parameter.

Context

[jzheaux]

Thanks for the suggestion, @Asskali.

I think you are saying you'd like to be able to configure Spring Security to disallow CSRF tokens as URL parameters. It sounds reasonable to add CsrfFilter#setAllowRequestParameter(boolean).

Are you able to provide a pull request? If so, please base it off of 5.8.x.

[Asskali]

Hi!

That's exactly what I wish to do, I'll work on a pull request soon!

[rwinch]

We should consider what happens to the CsrfToken.getParameterName() for this. Note that the Javadoc states it cannot be null. We should also consider how the taglibs support is impacted. It doesn't make sense for CSRF token to be included as a hidden input if CSRF tokens will not be read from HTTP parameters. Another consideration is how this works if there are multiple SecurityFilterChain with different configurations.